This piece is part of our ‘Faculty Focus’ series, an interview-style article where a member of the IANS Faculty shares firsthand, practitioner-based insights on an infosec topic. In this feature, Masha Sedova discusses the challenges around phishing programs and shares best practices for managing and helping your highest-risk employees become low-risk.
Masha Sedova is an award-winning cybersecurity expert, speaker, and trainer focused on helping companies transform their workforce from a security risk into a key element of cyberdefense. She is the co-founder and President of Elevate Security, which delivers a first-of-its-kind platform that enables organizations to identify risky employees, reduce the likelihood of future incidents, and proactively defend their workforce while ensuring a productive business. In 2021, Fast Company named her one of the most creative people in business. Masha has been a member of the board of directors for the National Cyber Security Alliance and a regular presenter at conferences such as Black Hat, RSA, OWASP, and SANS.
Phishing resilience is hard to measure, and most platforms focus on momentary measurement of a campaign in terms of employee success or failure. To more accurately gauge an organization’s ability to handle phishing attacks, use metrics that demonstrate how employee risk type changes over time and that identify the distribution of risk.
Masha: Running phishing simulations has been a best practice in security for the last 10 years. Today a typical phishing program will send out between 4 and 12 phishing emails a year to employees. Upon clicking a link, employees are directed to training.
A phishing button is often provided as a reporting vehicle for both simulated and actual phishing attacks. More advanced options of these programs include:
As organizations come to the realization that click-through rates will never get to 0%, the question inevitably arises of ‘what is good enough?’ Do organizations need more phishing tests or fewer? Better training? Restrictions on ‘guilty’ individuals?
Ultimately, these are all the wrong questions, because the problem we are trying to solve can’t be fixed with simulated phishing alone. Let’s remember the problem we are trying to solve: reduce the number of user-generated phishing incidents that occur in our organizations. I can count on one hand the number of organizations that track phishing incident reduction as a metric of their simulated phishing programs.
To effectively tackle this problem, we need broader insights than simulated phishing clicks: who is being targeted by attackers, who falls for actual phishing attacks, what compensating controls someone has, and finally how much ‘security common sense’ they have when it comes to phishing.
Repeated research studies have shown that employees consistently fall into three types of phishing risk, high, medium and low, based on the average number of times they click during simulated phishing tests.
When considering risk, it's not about the average employee click rate; it's about the distribution of risk. What percentage of your employees are high risk? An effective program is all about managing and reducing the risk from your highest-risk employees.
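The distinction drawn above, the average click rate versus the distribution of risk and how employees move between tiers over time, as an added worked example (not code from the interview or from Elevate Security). The tier cut-offs and the five-employee click histories are constructed assumptions, since the interview names the tiers but gives no thresholds:

```python
from collections import Counter

# Assumed tier cut-offs on an employee's click rate over a period's tests
# (the interview names the tiers but gives no thresholds): <10% low,
# <30% medium, otherwise high.
TIER_BOUNDS = (("low", 0.10), ("medium", 0.30))

def tier_for(clicks, tests):
    """Map clicks out of tests in one period to a risk tier."""
    if tests == 0:
        return "untested"
    for name, upper in TIER_BOUNDS:
        if clicks / tests < upper:
            return name
    return "high"

def results_from_clicks(clicks_by_employee, first_campaign):
    """Expand constructed click strings such as '0110' into
    (employee, campaign_id, clicked) rows, one per test sent."""
    return [(emp, first_campaign + i, ch == "1")
            for emp, pattern in clicks_by_employee.items()
            for i, ch in enumerate(pattern)]

def average_click_rate(results):
    """The single number most programs report: clicks / tests sent."""
    return sum(clicked for _, _, clicked in results) / len(results)

def tier_by_employee(results):
    """Each employee's tier for one period, from their own click history."""
    tests, clicks = Counter(), Counter()
    for emp, _campaign, clicked in results:
        tests[emp] += 1
        clicks[emp] += int(clicked)
    return {emp: tier_for(clicks[emp], tests[emp]) for emp in tests}

def risk_distribution(tiers):
    """Share of the workforce in each tier: the distribution, not the mean."""
    counts = Counter(tiers.values())
    return {t: counts[t] / len(tiers) for t in ("low", "medium", "high")}

def tier_transitions(before, after):
    """Count (old_tier, new_tier) moves between two periods, which shows
    whether high-risk employees are actually becoming lower risk."""
    return Counter((old, after.get(emp, "untested")) for emp, old in before.items())

# Constructed sample: five employees, four tests in each half-year.
H1 = results_from_clicks({"alice": "0000", "bob": "0100", "carol": "1110",
                          "dan": "1010", "eve": "0000"}, first_campaign=1)
H2 = results_from_clicks({"alice": "0001", "bob": "0000", "carol": "1100",
                          "dan": "0100", "eve": "0000"}, first_campaign=5)
```

On this sample the average click rate drops from 30% to 20%, which looks like progress, while `tier_transitions` shows that the one employee who stayed high risk across both periods has not moved at all.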
Masha: Common metrics for programs today boil down to two numbers: the average click rate and the average reporting rate for an organization. These are regularly updated as new phishing tests are rolled out, with the hope that clicks will decrease to 0% and reporting rates will skyrocket.
Occasionally, click rate metrics are expanded into greater detail to include factors such as the percentage of employees who submitted credentials, downloaded attachments, or are repeat offenders.
However, there are two gaps in these metrics that organizations should consider when measuring their programs.
If your organization must benchmark against a single ‘click rate’, and it will never get to 0%, how do you determine what is an acceptable floor? What is a “good” click rate? There are a few options.
Masha: Enough is a function of the goals of the phishing program. Given that 0% is not possible, here are best practice suggestions:
Research data indicates that after seven phishing tests there is a plateau in risk reduction, meaning that conducting more than seven tests may not provide significant incremental value in improving employee behavior. After about a year of simulations, or 7-11 phishing tests, results stabilize (we see about a 5% click-through rate ongoing).
It's not just about how many tests there are, but also about the types of interventions. Beyond standard tests, strategies like phishing-resistant MFA, password manager use, and reducing MFA timeouts can be more effective at managing and moving high-risk employees to a lower-risk group.